Hacked
Edward Glowacki
glowack2@msu.edu
Mon, 15 Jan 2001 16:39:24 -0500 (EST)
On Mon, 15 Jan 2001, Mike Szumlinski wrote:
> Someone just hacked my linux box. They replaced all the index.html files
> with their own little staple crap...
>
> My box isn't all that secure I'm sure, but I'd like to know what logs to
> check to see if maybe I can figure out at least when they got in, and how.
> Did they piggyback on someone else? I don't know. Any help would be
> appreciated.
>
> -Mike
Check everything in /var/log, especially messages. Read through
it, look for unusual stuff. Specifically you might look for:

* signs of port scanning (lots of denied requests to various services)
* lines that have lots of odd stuff in them (extra characters, line
  noise, lots of spaces or AAAAAAAAA or anything that looks weird) that
  might indicate some sort of buffer-overflow attack
* root logins at odd hours

Check your open ports ("netstat -an").

That's a start. If you still don't find anything, I might be able
to come up with some more. =)

Maybe it's time for me to dig out my old "Securing Unix" presentation
again and present at a meeting. Anyone interested?
--
Edward Glowacki glowack2@msu.edu
Technical Support Services
Michigan State University
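
Added example, not part of the original message: a small Python triage pass over syslog-style lines for the three signs listed in the reply above (refused connections to many services from one source, lines with long character runs or non-printable bytes, root logins at odd hours). The log lines are constructed, and the tcp_wrappers/login message formats, the three-service threshold and the 00:00-05:59 "odd hours" window are assumptions to adjust for the system at hand.

```python
import re
from collections import defaultdict

# Assumed message formats (tcp_wrappers refusals, login/PAM/sshd root sessions).
REFUSED = re.compile(r"(\S+?)\[\d+\]: refused connect from (\S+)")
ROOT = re.compile(r"ROOT LOGIN|session opened for user root|Accepted \S+ for root")
# A run of 16+ identical characters, or any byte outside printable ASCII.
NOISE = re.compile(r"(.)\1{15,}|[^\x20-\x7e]")
STAMP = re.compile(r"^\w{3}\s+\d+\s+(\d\d):\d\d:\d\d\s")

def triage(lines, min_services=3, quiet_hours=range(0, 6)):
    """Return suspicious source IPs and the 1-based numbers of suspicious lines."""
    services = defaultdict(set)          # source IP -> services that refused it
    report = {"scan": [], "noise": [], "root_odd_hours": []}
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        refused = REFUSED.search(line)
        if refused:
            services[refused.group(2)].add(refused.group(1))
        if NOISE.search(line):
            report["noise"].append(n)
        stamp = STAMP.match(line)
        if stamp and ROOT.search(line) and int(stamp.group(1)) in quiet_hours:
            report["root_odd_hours"].append(n)
    # One source refused by several different services looks like a port scan.
    report["scan"] = sorted(ip for ip, s in services.items() if len(s) >= min_services)
    return report

# Constructed sample log (documentation IP ranges), not taken from any real host.
SAMPLE_LOG = [
    "Jan 14 03:11:58 box in.telnetd[411]: refused connect from 192.0.2.7",
    "Jan 14 03:11:58 box in.ftpd[412]: refused connect from 192.0.2.7",
    "Jan 14 03:11:59 box in.fingerd[413]: refused connect from 192.0.2.7",
    "Jan 14 03:14:20 box rpc.statd[301]: gethostbyname error for " + "A" * 40,
    "Jan 14 03:15:02 box login[512]: ROOT LOGIN ON pts/0 FROM 192.0.2.7",
    "Jan 14 10:30:00 box login[600]: ROOT LOGIN ON tty1",
    "Jan 14 10:31:10 box in.ftpd[610]: refused connect from 198.51.100.4",
]

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(key, hits)
```

On a real host, pass an open file instead of the sample list, e.g. triage(open("/var/log/messages", errors="replace")).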